Cisco ASA 5510 VPN Tunnel

Posted on 2008-10-09
Last Modified: 2012-05-05
I have a Cisco ASA 5510 ASA Firmware 8(x).  It is my firewall/perimeter device for the network.  Inside the firewall on the internal LAN, I have a terminal server box.

I want to allow users with the Cisco VPN client to connect via VPN and ONLY be allowed to connect to the specific IP address (a specific port on that IP would be even better) of the terminal server to log in using RDP.  

I have 250 VPN user licenses and 2 WebVPN licenses.  The terminal server is a Windows 2008 Standard server.  I have no funds to buy any additional equipment, licenses or software.  I am not able to set up a DMZ or change the IP address of the terminal server.

All suggestions are appreciated.  Thanks in advance.
Question by:scottbortis
5 Comments
 
LVL 17

Expert Comment

by:Andres Perales
ID: 22680725
Use the VPN wizard on the ASA when you connect via the ASDM from your web browser.  It will ask you what kind of VPN, a site-to-site or to accept client requests; when running through the wizard it will ask you what network to protect, insert the IP address information for just the host that you want to allow connectivity to through the VPN client.
When your clients VPN in, they should be able to only connect to that server.
If you do not want to use VPN then create an access rule to allow connection to that terminal server.
Is this terminal server for administration only? If not then you will need terminal server licenses as well.
 
LVL 2

Author Comment

by:scottbortis
ID: 22681807
It seems like it is a problem with the tunnelling group ACL filter.  

I cannot seem to get the filter to only allow traffic from my VPN subnet to just this specific IP.

VPN subnet = 10.3.0.0/24
IP trying to connect is 10.0.0.60

The wizard didn't work.  
 
LVL 4

Accepted Solution

by:
yurisk earned 2000 total points
ID: 22684986
There are 2 ways to do it:
1) Old way, applicable to any PIX/ASA versions - in the ACL specifying traffic to encrypt from LAN to VPN clients' IP pool, for the LAN part you set the Terminal Server IP only, i.e. to encrypt traffic only
from Terminal Server IP to VPN Remote Access pool. It doesn't give you the option to filter on ports though.
Nowadays Cisco are recommending against this practice, nevertheless it works.

2) New way, ASA 7.x and later only - in the group-policy <name> attributes that later you apply to the VPN Remote Access tunnel group, use vpn-filter value <name_of_ACL>, where
name_of_ACL is a regular ACL allowing access to the specific port of the Terminal Server.
Example and further details are here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
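The two approaches in the accepted answer, written out as an added ASA CLI example (not configuration from the thread or from the linked Cisco document). The addresses are the ones the asker gave (VPN pool 10.3.0.0/24, terminal server 10.0.0.60); the pool range, the ACL, group-policy and tunnel-group names, and the use of a split-tunnel list for the "old way" are assumptions. The vpn-filter ACL is written from the client's point of view (source = client pool, destination = inside host), which is how the ASA evaluates it.

```cisco
! Added example, not from the thread. Names (RA-POOL, VPN-RDP-ONLY, SPLIT-TS,
! RA-GP, RA-TG) and the pool range are assumed; 10.3.0.0/24 and 10.0.0.60 are
! the addresses the asker gave.

! Address pool handed to Cisco VPN clients (assumed range inside the asker's /24)
ip local pool RA-POOL 10.3.0.1-10.3.0.254 mask 255.255.255.0

! --- Way 2 (ASA 7.x and later): per-tunnel-group vpn-filter -------------------
! Only RDP (tcp/3389) from the client pool to the terminal server is permitted.
! Return traffic for those sessions is allowed automatically; everything else
! decrypted from these clients is dropped and logged.
access-list VPN-RDP-ONLY extended permit tcp 10.3.0.0 255.255.255.0 host 10.0.0.60 eq 3389
access-list VPN-RDP-ONLY extended deny ip any any log

! --- Way 1 (any PIX/ASA): limit what the client encrypts to the one host ------
! Shown here as a split-tunnel list (assumption). This shapes client routing
! only and cannot restrict ports; it is not a substitute for the filter above.
access-list SPLIT-TS standard permit host 10.0.0.60

group-policy RA-GP internal
group-policy RA-GP attributes
 vpn-filter value VPN-RDP-ONLY
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TS

! Remote-access tunnel group that hands out the pool and applies the policy
tunnel-group RA-TG type remote-access
tunnel-group RA-TG general-attributes
 address-pool RA-POOL
 default-group-policy RA-GP

! Verification (constructed commands, run after a client connects):
!   show vpn-sessiondb remote        -> confirms the session picked up RA-GP / the filter
!   show access-list VPN-RDP-ONLY    -> hit counts on the permit and the deny line
```

The vpn-filter is the enforcing control: it is applied to traffic after decryption on the ASA itself, independently of the interface ACLs that VPN traffic normally bypasses, so a client that ignores the split-tunnel list still reaches nothing but tcp/3389 on 10.0.0.60. The trailing `deny ip any any log` is optional (an ACL ends in an implicit deny) but gives you a log line for each blocked attempt, which is worth having when you later wonder why a client "can't reach" something.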
 
LVL 2

Author Comment

by:scottbortis
ID: 22686603
Yeah, it seems that I was having issues with the VPN Filter.  I took portions of the document that you linked yurisk and was able to complete my configuration.  Thank you both for your help.
 
LVL 2

Author Closing Comment

by:scottbortis
ID: 31504755
Thanks for your help